4 hours ago
spring-security

7.1.0

🪲 Bug Fixes

  • Opaque token introspectors should not allow empty credentials #19201

🔨 Dependency Upgrades

  • Bump @springio/antora-extensions from 1.14.11 to 1.14.12 in /docs #19235
  • Bump actions/checkout from 6.0.2 to 6.0.3 #19271
  • Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #19181
  • Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.33 #19228
  • Bump ch.qos.logback:logback-classic from 1.5.33 to 1.5.34 #19268
  • Bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 #19133
  • Bump com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.22.0 #19246
  • Bump com.google.code.gson:gson from 2.13.2 to 2.14.0 #19125
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.37 to 11.37.1 #19157
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.37 to 11.37.2 #19195
  • Bump com.webauthn4j:webauthn4j-core from 0.31.3.RELEASE to 0.31.5.RELEASE #19148
  • Bump com.webauthn4j:webauthn4j-core from 0.31.5.RELEASE to 0.31.6.RELEASE #19263
  • Bump gradle-wrapper from 9.4.1 to 9.5.0 #19135
  • Bump gradle-wrapper from 9.5.0 to 9.5.1 #19171
  • Bump io-micrometer from 1.16.5 to 1.17.0 #19287
  • Bump io.mockk:mockk from 1.14.9 to 1.14.11 #19244
  • Bump io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6 #19296
  • Bump org-jetbrains-kotlin from 2.3.20 to 2.3.21 #19126
  • Bump org-jetbrains-kotlin from 2.3.21 to 2.4.0 #19264
  • Bump org-opensaml5 from 5.2.1 to 5.2.2 #19176
  • Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #19190
  • Bump org.apereo.cas.client:cas-client-core from 4.1.0 to 4.1.1 #19200
  • Bump org.hibernate.orm:hibernate-core from 7.3.1.Final to 7.3.2.Final #19119
  • Bump org.hibernate.orm:hibernate-core from 7.3.2.Final to 7.3.3.Final #19149
  • Bump org.hibernate.orm:hibernate-core from 7.3.3.Final to 7.3.4.Final #19165
  • Bump org.hibernate.orm:hibernate-core from 7.3.4.Final to 7.3.5.Final #19191
  • Bump org.hibernate.orm:hibernate-core from 7.3.5.Final to 7.3.6.Final #19211
  • Bump org.hibernate.orm:hibernate-core from 7.3.6.Final to 7.4.0.Final #19226
  • Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.2 to 1.11.0 #19166
  • Bump org.junit:junit-bom from 6.0.3 to 6.1.0 #19197
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #19169
  • Bump org.springframework.data:spring-data-bom from 2025.1.5 to 2025.1.6 #19290
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.3 to 4.1.0 #19291
  • Bump org.springframework:spring-framework-bom from 7.0.7 to 7.0.8 #19285
  • Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #19179
  • Bump tools.jackson:jackson-bom from 3.1.2 to 3.1.3 #19147
  • Bump tools.jackson:jackson-bom from 3.1.3 to 3.1.4 #19245
  • Bump tools.jackson:jackson-bom from 3.1.4 to 3.2.0 #19286
  • Update to spring-data-bom 2026.0.0 #19303

🔩 Build Updates

4 hours ago
spring-security

7.0.6

🪲 Bug Fixes

  • FormPostRedirectStrategy should not emit percent-encoded values into hidden form inputs #19137
  • AbstractAuthenticationFilterConfigurer should not automatically pick up servlet path #19128
  • Principal Extractor should select the left-most RDN attribute value #19254

🔨 Dependency Upgrades

  • Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #19184
  • Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.34 #19266
  • Bump com.webauthn4j:webauthn4j-core from 0.31.3.RELEASE to 0.31.5.RELEASE #19151
  • Bump com.webauthn4j:webauthn4j-core from 0.31.5.RELEASE to 0.31.6.RELEASE #19265
  • Bump gradle-wrapper from 8.14.4 to 8.14.5 #19160
  • Bump io-micrometer from 1.16.5 to 1.16.6 #19292
  • Bump io.mockk:mockk from 1.14.9 to 1.14.11 #19247
  • Bump io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6 #19298
  • Bump org-bouncycastle from 1.80 to 1.80.2 #19193
  • Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #19192
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #19174
  • Bump org.springframework.data:spring-data-bom from 2025.1.5 to 2025.1.6 #19294
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.3 to 4.0.4 #19289
  • Bump org.springframework:spring-framework-bom from 7.0.7 to 7.0.8 #19288
  • Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #19182
  • Update to Micrometer 1.16.5 #19225

🔩 Build Updates

4 hours ago
spring-security

6.5.11

🪲 Bug Fixes

  • FormPostRedirectStrategy should not emit percent-encoded values into hidden form inputs #19136

🔨 Dependency Upgrades

  • Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #19185
  • Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.34 #19299
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.6 to 2.18.7 #19129
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.7 to 2.18.8 #19297
  • Bump gradle-wrapper from 8.14.4 to 8.14.5 #19159
  • Bump org-bouncycastle from 1.80 to 1.80.2 #19204
  • Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #19205
  • Bump org.hibernate.orm:hibernate-core from 6.6.49.Final to 6.6.50.Final #19150
  • Bump org.hibernate.orm:hibernate-core from 6.6.50.Final to 6.6.51.Final #19213
  • Bump org.hibernate.orm:hibernate-core from 6.6.51.Final to 6.6.53.Final #19300
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #19173
  • Bump org.springframework:spring-framework-bom from 6.2.18 to 6.2.19 #19293
  • Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 #19124
  • Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #19183
  • Update micrometer-bom to 1.15.12 #19302
  • Update to Micrometer 1.15.11 #19224
  • Update to reactor-bom 2024.0.18 #19301

🔩 Build Updates

6 hours ago
Activiti
1 day ago
selenium

Nightly

Commits

  • c526eb2: [js] Add Javascript/Typescript CDDL code generator for WebDriver BiDi (#17574) (Puja Jagani) #17574
  • d33b389: [SM] Automatically prune cache entries older than 30 days (#17585) (David Burns) #17585
1 day ago
spring-framework

v7.0.8

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Eagerly compute exit descriptors for negative literals #36801
  • Revise property accessor algorithms #36800
  • Improve path pattern matching #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

🐞 Bug Fixes

  • Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36869
  • Server Sent Event does not support multi-line comments #36866
  • CronExpression skips days on midnight DST gap #36865
  • Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36835
  • Preserve generic type info in awaitEntity() #36834
  • Bean Background Bootstrap and Lazy Init #36844
  • Back-off for DefaultMessageListenerContainer with OracleAQ has changed and is very short in SpringBoot 4 #36809
  • Character outside of permitted range in Content Disposition #36805
  • Fix JSP tag processing #36797
  • Fix script processing capabilities #36795
  • Jaxb2XmlEncoder exclusivity prevents JacksonXmlEncoder usage and hinders POJO serialization #36776
  • JacksonXmlEncoder.canEncode incorrectly returns true for String body with application/xml #36775
  • Consistently expose map key quotes in PropertyAccessorUtils #36765
  • Fix fragment parsing for relative URI in RFC URI parser #36762
  • Fix race condition in InMemoryWebSessionStore #36742
  • Parsing failure for MIME type with quoted parameter values #36730
  • Circular dependency between supplier-created beans is silently ignored on startup #36725
  • Data is lost for joined DataBuffer in DataBufferUtils #36714
  • Cache collisions in CachingResourceResolver #36713
  • Unexpected path element removal when resolving versioned resources #36698
  • Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36694
  • Regression on value class parameter handling #36665
  • Fix inverted logic for boolean last flag in JettyWebSocketSession when sending binary message #36650
  • Parent traceId is not reused when calling WebClient.awaitExchange function #36182

📔 Documentation

  • Fix broken links to Selenium documentation #36875
  • Fix applicability note on setAutoGrowCollectionLimit #36863
  • Document @Conditional gating of nested @Configuration classes #36831
  • Javadoc of nestingLevel parameter in MethodParameter constructor is inconsistent with actual implementation #36826
  • Re-structuring of Data Binding Content in Web Sections of Documentation #36803
  • Fix typos for validateExistingTransaction #36767

🔨 Dependency Upgrades

  • Upgrade to Micrometer 1.16.6 #36883
  • Upgrade to Reactor 2025.0.6 #36884

❤️ Contributors

Thank you to all the contributors who worked on this release:

@0AndWild, @Dennis-Mircea, @cookie-meringue, @daguimu, @dmitrysulman, @kilink, @kzander91, @leestana01, @mguiking, @quaff, @seonwooj0810, @sgerke-1L, @shenjianeng, @tianhaocui, @wushiyuanmaimob, and @zmovo